This query may cause a crash after the first run:
update nation set n_regionkey = (select o_custkey from orders where o_orderkey = n_nationkey and o_orderkey <= 40);
Unfortunately, on my machine, it seems to get the same exact address from malloc each time it calls make_cond_for_table() (sql_select.cc:11582), so while it keeps building the condStack, all the entries are pointing to the same cond and it won't always break. Sometimes it gets a different address and it crashes.

I have verified that the handlers are created once and re-used by breakpoint at ha_mcs.cpp:241

In sqlUpdate.cc: 741, we find:

      if (!table->file->cond_push(select->cond))

        table->file->pushed_cond= select->cond;

and at sqlUpdate.cc:1287 we have:

  if (table->file->pushed_cond)

  {

    table->file->pushed_cond= 0;

    table->file->cond_pop();

  }

But in this query, we get a cond_push for the orders subquery at sql_select.cpp:11581

             COND *push_cond= 

              make_cond_for_table(thd, tmp_cond, current_map, current_map,

                                  -1, FALSE, FALSE);

              if (push_cond)

              {

                /* Push condition to handler */

                if (!tab->table->file->cond_push(push_cond))

                  tab->table->file->pushed_cond= push_cond;

              }

There is no corresponding cond_pop() call. The condition pointer stays in our condStack which is used again for the next query using the "orders" table and condition pushdown.

I added cleanup code in ha_mcs::extra() for operation HA_EXTRA_DETACH_CHILDREN.

This doesn't look like appropriate place so we need to check whether handler::reset() got called before we reuse the handler.

As I can see our plugin lacks ::reset() method that must reset the cond stack. I'm 99% sure this is why we fail in the first place.

It did not make it into 1.5.3.

Build verified: 1.5.4-1 (Drone b414)

Repeated test005 three times without mariadbd crashing.